Edit tour

Windows Analysis Report
LMSetup.exe

Overview

General Information

Sample Name:	LMSetup.exe
Analysis ID:	562516
MD5:	c915a8370a016f079adfea57cc00b46f
SHA1:	07b31c5bcad7bc0e9da24a46f180001709e1dbe5
SHA256:	315d36c57e181df7ee2730361847fb4311eef889df19c2ba8bd00759c46465e5
Infos:

Detection

Score:	10
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Found dropped PE file which has not been started or loaded

Uses the system / local time for branch decision (may execute only at specific dates)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Abnormal high CPU Usage

Creates a DirectInput object (often for capturing keystrokes)

Is looking for software installed on the system

Drops files with a non-matching file extension (content does not match file extension)

Searches for the Microsoft Outlook file path

PE file contains strange resources

Allocates memory with a write watch (potentially for evading sandboxes)

Drops PE files

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Found evasive API chain checking for process token information

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Found large amount of non-executed APIs

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample may be VM or Sandbox-aware, try analysis on a native machine

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Process Tree

System is w10x64

LMSetup.exe (PID: 6100 cmdline: "C:\Users\user\Desktop\LMSetup.exe" MD5: C915A8370A016F079ADFEA57CC00B46F)

LMSetup.exe (PID: 5264 cmdline: "C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe" -burn.clean.room="C:\Users\user\Desktop\LMSetup.exe" -burn.filehandle.attached=556 -burn.filehandle.self=576 MD5: ED2B2F8988D6123D440982052A65D364)

cmd.exe (PID: 5300 cmdline: cmd" /c C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe "C:\Users\user\Desktop\LMSetup.exe" -nologo -x "C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 2944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dark.exe (PID: 6416 cmdline: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe "C:\Users\user\Desktop\LMSetup.exe" -nologo -x "C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba" MD5: 6F5BF63BB69D04CFBF2BDB336BF3A767)

cleanup

Malware Configuration

⊘No configs have been found

Yara Overview

⊘No yara matches

Sigma Overview

⊘No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Users\user\Desktop\LMSetup.exe	Code function: 0_2_008DA0BB DecryptFileW,
Source: C:\Users\user\Desktop\LMSetup.exe	Code function: 0_2_008FFA62 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,
Source: C:\Users\user\Desktop\LMSetup.exe	Code function: 0_2_008D9E9E DecryptFileW,DecryptFileW,

Source: LMSetup.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP

Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\cs\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\da\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\de-de\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\el\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\en-gb\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\en-us\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\es-es\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\fi\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\fr-fr\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\hu\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\it-it\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\ja\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\nl-nl\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\no-no\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\pl\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\pt-br\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\pt-pt\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\ru\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\sv-se\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\tr-tr\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\zh-cn\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\zh-tw\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\cs\readme.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\da\readme.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\de-de\readme.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\en-gb\readme.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\en-us\readme.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\es-es\readme.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\fi\readme.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\fr-fr\readme.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\hu\readme.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\it-it\readme.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\ja\readme.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\nl-nl\readme.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\no-no\readme.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\pl\readme.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\pt-br\readme.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\pt-pt\readme.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\ru\readme.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\sv-se\readme.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\tr-tr\readme.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\zh-cn\readme.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\zh-tw\readme.txt	Jump to behavior

Source: LMSetup.exe

Static PE information: certificate valid

Source: LMSetup.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\DependencyExtension\WixDependencyExtension.pdb source: dark.exe, dark.exe, 00000018.00000002.556392871.0000000002EF2000.00000002.00000001.01000000.00000020.sdmp
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: LMSetup.exe
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixUtilExtension\WixUtilExtension.pdb\| source: dark.exe, 00000018.00000002.557734588.0000000005862000.00000002.00000001.01000000.00000028.sdmp
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixIIsExtension\WixIIsExtension.pdb source: dark.exe, 00000018.00000002.556830066.0000000005472000.00000002.00000001.01000000.00000025.sdmp
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixVSExtension\WixVSExtension.pdb source: dark.exe, 00000018.00000002.559434031.0000000005ED2000.00000002.00000001.01000000.0000002A.sdmp
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixGamingExtension\WixGamingExtension.pdb source: dark.exe, 00000018.00000002.556500646.0000000002F62000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: pdbaMicrosoft.Tools.WindowsInstallerXml.Xsd.pdbs.xsdUhttp://schemas.microsoft.com/wix/2006/pdbs source: dark.exe, 00000018.00000002.556968676.0000000005592000.00000002.00000001.01000000.0000001D.sdmp, u32.24.dr
Source:	Binary string: C:\jenkins\workspace\funnelweb10\funnelweb10_vs2017\FW5DeviceApp\JBusCore.Native\JBusModules\JBM_Resolver\vs12\bin\Release\Win32\JBM_Resolver_vs12.pdb,, source: JBM_Resolver_vs12.dll.5.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixUIExtension\WixUIExtension.pdbL source: dark.exe, 00000018.00000002.558081633.0000000005B32000.00000002.00000001.01000000.00000029.sdmp
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixGamingExtension\WixGamingExtension.pdb( source: dark.exe, 00000018.00000002.556500646.0000000002F62000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\dark\dark.pdb source: dark.exe, dark.exe, 00000018.00000000.486739438.0000000000B02000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: Microsoft.Tools.WindowsInstallerXml.Xsd.pdbs.xsd source: dark.exe, 00000018.00000002.556968676.0000000005592000.00000002.00000001.01000000.0000001D.sdmp, u32.24.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixNetfxExtension\WixNetFxExtension.pdb source: dark.exe, 00000018.00000002.556908564.0000000005532000.00000002.00000001.01000000.00000026.sdmp
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixHttpExtension\WixHttpExtension.pdb source: dark.exe, 00000018.00000002.556791687.00000000053E2000.00000002.00000001.01000000.00000024.sdmp, WixHttpExtension.dll.5.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\wix\wix.pdb source: dark.exe, 00000018.00000002.556968676.0000000005592000.00000002.00000001.01000000.0000001D.sdmp, u32.24.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixIIsExtension\WixIIsExtension.pdbt source: dark.exe, 00000018.00000002.556830066.0000000005472000.00000002.00000001.01000000.00000025.sdmp
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixDifxAppExtension\WixDifxAppExtension.pdb source: dark.exe, dark.exe, 00000018.00000002.556332220.0000000002EA2000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: C:\jenkins\workspace\funnelweb10\funnelweb10_vs2017\Installer\FWWindowNative\bin\Release\Win32\FWWindowNative.pdb source: FWWindowNative.dll.5.dr
Source:	Binary string: C:\jenkins\workspace\funnelweb10\funnelweb10_vs2017\FW5DeviceApp\JBusCore.Native\JBusModules\JBM_User\vs12\bin\Release\Win32\JBM_User_vs12.pdb source: u20.24.dr, JBM_User_vs12.dll.5.dr
Source:	Binary string: C:\jenkins\workspace\funnelweb10\funnelweb10_vs2017\FW5DeviceApp\JBusCore.Native\JBusModules\JBM_SNMP\vs12\bin\Release\Win32\JBM_SNMP_vs12.pdb source: JBM_SNMP_vs12.dll.5.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixFirewallExtension\WixFirewallExtension.pdb source: dark.exe, dark.exe, 00000018.00000002.556468998.0000000002F42000.00000002.00000001.01000000.00000022.sdmp, WixFirewallExtension.dll.5.dr, u36.24.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixDirectXExtension\WixDirectXExtension.pdb source: dark.exe, u35.24.dr
Source:	Binary string: C:\jenkins\workspace\funnelweb10\funnelweb10_vs2017\FW5DeviceApp\JBusCore.Native\JBusModules\JBM_Resolver\vs12\bin\Release\Win32\JBM_Resolver_vs12.pdb source: JBM_Resolver_vs12.dll.5.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixSqlExtension\WixSqlExtension.pdb source: dark.exe, 00000018.00000002.557417725.0000000005742000.00000002.00000001.01000000.00000027.sdmp
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\winterop.pdb source: dark.exe, 00000018.00000002.559615278.000000006FF45000.00000002.00000001.01000000.0000002B.sdmp, winterop.dll.5.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixUtilExtension\WixUtilExtension.pdb source: dark.exe, 00000018.00000002.557734588.0000000005862000.00000002.00000001.01000000.00000028.sdmp
Source:	Binary string: C:\jenkins\workspace\funnelweb10\funnelweb10_vs2017\FW5DeviceApp\JBusCore.Native\JBusModules\JBM_SNMP\vs12\bin\Release\Win32\JBM_SNMP_vs12.pdbSS source: JBM_SNMP_vs12.dll.5.dr
Source:	Binary string: C:\jenkins\workspace\funnelweb10\funnelweb10_vs2017\Installer\vs\JBM_RAF_Static\bin\Release\Win32\JBM_RAF_Static.pdb source: JBM_RAF_Static.dll.5.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\wix\wix.pdbh source: dark.exe, 00000018.00000002.556968676.0000000005592000.00000002.00000001.01000000.0000001D.sdmp, u32.24.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixUIExtension\WixUIExtension.pdb source: dark.exe, 00000018.00000002.558081633.0000000005B32000.00000002.00000001.01000000.00000029.sdmp

Source: C:\Users\user\Desktop\LMSetup.exe	Code function: 0_2_00904440 FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\LMSetup.exe	Code function: 0_2_008F7B87 FindFirstFileExW,
Source: C:\Users\user\Desktop\LMSetup.exe	Code function: 0_2_008D9B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\LMSetup.exe	Code function: 0_2_008C3CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,

Source: LMSetup.exe	String found in binary or memory: http://appsyndication.org/2006/appsyn
Source: LMSetup.exe	String found in binary or memory: http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor
Source: dark.exe, 00000018.00000002.557734588.0000000005862000.00000002.00000001.01000000.00000028.sdmp	String found in binary or memory: http://appsyndication.org/schemas/appsyn5rss/channel/as:applicationKDid
Source: LMSetup.exe, 00000005.00000003.406860034.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.407217388.000000000A46F000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.407122395.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.407017293.000000000A46F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://en.wikipqxg
Source: dark.exe, 00000018.00000002.556628591.0000000003085000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: dark.exe, 00000018.00000002.556628591.0000000003085000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: dark.exe	String found in binary or memory: http://schemas.m
Source: dark.exe	String found in binary or memory: http://schemas.micro
Source: dark.exe, 00000018.00000002.556628591.0000000003085000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: dark.exe, 00000018.00000002.556628591.0000000003085000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: dark.exe, 00000018.00000002.556628591.0000000003085000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: dark.exe, 00000018.00000002.556628591.0000000003085000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: dark.exe	String found in binary or memory: http://wixtoolset.org
Source: dark.exe	String found in binary or memory: http://wixtoolset.org/
Source: dark.exe, 00000018.00000002.558081633.0000000005B32000.00000002.00000001.01000000.00000029.sdmp, dark.exe, 00000018.00000002.556468998.0000000002F42000.00000002.00000001.01000000.00000022.sdmp, dark.exe, 00000018.00000000.486739438.0000000000B02000.00000002.00000001.01000000.0000001C.sdmp, dark.exe, 00000018.00000002.556500646.0000000002F62000.00000002.00000001.01000000.00000023.sdmp, dark.exe, 00000018.00000002.556332220.0000000002EA2000.00000002.00000001.01000000.0000001F.sdmp, dark.exe, 00000018.00000002.559434031.0000000005ED2000.00000002.00000001.01000000.0000002A.sdmp, dark.exe, 00000018.00000002.557417725.0000000005742000.00000002.00000001.01000000.00000027.sdmp, dark.exe, 00000018.00000002.556908564.0000000005532000.00000002.00000001.01000000.00000026.sdmp, dark.exe, 00000018.00000002.556392871.0000000002EF2000.00000002.00000001.01000000.00000020.sdmp, dark.exe, 00000018.00000002.556791687.00000000053E2000.00000002.00000001.01000000.00000024.sdmp, dark.exe, 00000018.00000002.556830066.0000000005472000.00000002.00000001.01000000.00000025.sdmp, dark.exe, 00000018.00000002.557734588.0000000005862000.00000002.00000001.01000000.00000028.sdmp, WixHttpExtension.dll.5.dr, WixFirewallExtension.dll.5.dr, u36.24.dr, u35.24.dr	String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: u32.24.dr	String found in binary or memory: http://wixtoolset.org/documentation/error217/
Source: dark.exe, dark.exe, 00000018.00000002.558081633.0000000005B32000.00000002.00000001.01000000.00000029.sdmp, dark.exe, 00000018.00000002.556468998.0000000002F42000.00000002.00000001.01000000.00000022.sdmp, dark.exe, 00000018.00000000.486739438.0000000000B02000.00000002.00000001.01000000.0000001C.sdmp, dark.exe, 00000018.00000002.556500646.0000000002F62000.00000002.00000001.01000000.00000023.sdmp, dark.exe, 00000018.00000002.556332220.0000000002EA2000.00000002.00000001.01000000.0000001F.sdmp, dark.exe, 00000018.00000002.559434031.0000000005ED2000.00000002.00000001.01000000.0000002A.sdmp, dark.exe, 00000018.00000002.557417725.0000000005742000.00000002.00000001.01000000.00000027.sdmp, dark.exe, 00000018.00000002.556968676.0000000005592000.00000002.00000001.01000000.0000001D.sdmp, dark.exe, 00000018.00000002.556908564.0000000005532000.00000002.00000001.01000000.00000026.sdmp, dark.exe, 00000018.00000002.556392871.0000000002EF2000.00000002.00000001.01000000.00000020.sdmp, dark.exe, 00000018.00000002.556791687.00000000053E2000.00000002.00000001.01000000.00000024.sdmp, dark.exe, 00000018.00000002.556830066.0000000005472000.00000002.00000001.01000000.00000025.sdmp, dark.exe, 00000018.00000002.557734588.0000000005862000.00000002.00000001.01000000.00000028.sdmp, WixHttpExtension.dll.5.dr, WixFirewallExtension.dll.5.dr, u36.24.dr, u35.24.dr, u32.24.dr	String found in binary or memory: http://wixtoolset.org/news/
Source: dark.exe, dark.exe, 00000018.00000002.558081633.0000000005B32000.00000002.00000001.01000000.00000029.sdmp, dark.exe, 00000018.00000002.556468998.0000000002F42000.00000002.00000001.01000000.00000022.sdmp, dark.exe, 00000018.00000000.486739438.0000000000B02000.00000002.00000001.01000000.0000001C.sdmp, dark.exe, 00000018.00000002.556500646.0000000002F62000.00000002.00000001.01000000.00000023.sdmp, dark.exe, 00000018.00000002.556332220.0000000002EA2000.00000002.00000001.01000000.0000001F.sdmp, dark.exe, 00000018.00000002.556392871.0000000002EF2000.00000002.00000001.01000000.00000020.sdmp, dark.exe, 00000018.00000002.557734588.0000000005862000.00000002.00000001.01000000.00000028.sdmp, WixFirewallExtension.dll.5.dr, u36.24.dr, u35.24.dr	String found in binary or memory: http://wixtoolset.org/releases/
Source: dark.exe	String found in binary or memory: http://wixtoolset.org/releases/feed/v3.11
Source: dark.exe, 00000018.00000002.559434031.0000000005ED2000.00000002.00000001.01000000.0000002A.sdmp	String found in binary or memory: http://wixtoolset.org/releases/sMicrosoft.Tools.WindowsInstallerXml.Extensions.Xsd.vs.xsd
Source: dark.exe, 00000018.00000002.556830066.0000000005472000.00000002.00000001.01000000.00000025.sdmp	String found in binary or memory: http://wixtoolset.org/releases/uMicrosoft.Tools.WindowsInstallerXml.Extensions.Xsd.iis.xsd
Source: dark.exe, 00000018.00000002.557417725.0000000005742000.00000002.00000001.01000000.00000027.sdmp	String found in binary or memory: http://wixtoolset.org/releases/uMicrosoft.Tools.WindowsInstallerXml.Extensions.Xsd.sql.xsd
Source: dark.exe, 00000018.00000002.556791687.00000000053E2000.00000002.00000001.01000000.00000024.sdmp, WixHttpExtension.dll.5.dr	String found in binary or memory: http://wixtoolset.org/releases/wMicrosoft.Tools.WindowsInstallerXml.Extensions.Xsd.http.xsd
Source: dark.exe, 00000018.00000002.556908564.0000000005532000.00000002.00000001.01000000.00000026.sdmp	String found in binary or memory: http://wixtoolset.org/releases/yMicrosoft.Tools.WindowsInstallerXml.Extensions.Xsd.netfx.xsd
Source: dark.exe	String found in binary or memory: http://wixtoolset.org/telemetry/v
Source: LMSetup.exe, 00000005.00000003.410864207.000000000A46B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: LMSetup.exe, 00000005.00000003.429990990.0000000005323000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: LMSetup.exe, 00000005.00000003.425385234.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.431133719.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.446818415.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.430983857.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.446748903.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.431274097.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.446576344.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.430825935.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.424486510.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.446492562.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.425763015.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.446371295.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.426162319.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.446234440.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.425962737.000000000A46B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: LMSetup.exe, 00000005.00000003.425570469.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.426981530.000000000A46B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers)
Source: LMSetup.exe, 00000005.00000003.424339254.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.424486510.000000000A46B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: LMSetup.exe, 00000005.00000003.428860600.000000000A46B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: LMSetup.exe, 00000005.00000003.429383019.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.428860600.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.429182478.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.429027170.000000000A46B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlD
Source: LMSetup.exe, 00000005.00000003.426859603.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.426981530.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.427118337.000000000A46B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmloW~
Source: LMSetup.exe, 00000005.00000003.429383019.000000000A46B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers2
Source: LMSetup.exe, 00000005.00000003.429567950.000000000A46B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers:
Source: LMSetup.exe, 00000005.00000003.430983857.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.430825935.000000000A46B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: LMSetup.exe, 00000005.00000003.431133719.000000000A46B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersA
Source: LMSetup.exe, 00000005.00000003.424621358.000000000A46B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersDC
Source: LMSetup.exe, 00000005.00000003.429567950.000000000A46B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersJ
Source: LMSetup.exe, 00000005.00000003.446371295.000000000A46B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersS
Source: LMSetup.exe, 00000005.00000003.446234440.000000000A46B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersUK
Source: LMSetup.exe, 00000005.00000003.431133719.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.431274097.000000000A46B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersb
Source: LMSetup.exe, 00000005.00000003.424621358.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.424738869.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.424486510.000000000A46B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersd
Source: LMSetup.exe, 00000005.00000003.425763015.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.426162319.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.425962737.000000000A46B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersl1
Source: LMSetup.exe, 00000005.00000003.429990990.0000000005323000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comalsFT
Source: LMSetup.exe, 00000005.00000003.429990990.0000000005323000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comitudi
Source: LMSetup.exe, 00000005.00000003.428643198.0000000005323000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comp
Source: dark.exe, 00000018.00000002.556628591.0000000003085000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: dark.exe, 00000018.00000002.556628591.0000000003085000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: dark.exe, 00000018.00000002.556628591.0000000003085000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: dark.exe, 00000018.00000002.556628591.0000000003085000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0

Source: dark.exe, 00000018.00000002.555816779.000000000129B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: LMSetup.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP

Source: C:\Users\user\Desktop\LMSetup.exe

File created: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\

Jump to behavior

Source: C:\Users\user\Desktop\LMSetup.exe	Code function: 0_2_008F001D
Source: C:\Users\user\Desktop\LMSetup.exe	Code function: 0_2_008E41EA
Source: C:\Users\user\Desktop\LMSetup.exe	Code function: 0_2_008C62AA
Source: C:\Users\user\Desktop\LMSetup.exe	Code function: 0_2_008F03D5
Source: C:\Users\user\Desktop\LMSetup.exe	Code function: 0_2_008EC332
Source: C:\Users\user\Desktop\LMSetup.exe	Code function: 0_2_008FA560
Source: C:\Users\user\Desktop\LMSetup.exe	Code function: 0_2_008F07AA
Source: C:\Users\user\Desktop\LMSetup.exe	Code function: 0_2_008CA8F1
Source: C:\Users\user\Desktop\LMSetup.exe	Code function: 0_2_008FAA0E
Source: C:\Users\user\Desktop\LMSetup.exe	Code function: 0_2_008EFB89
Source: C:\Users\user\Desktop\LMSetup.exe	Code function: 0_2_008F0B6F
Source: C:\Users\user\Desktop\LMSetup.exe	Code function: 0_2_008F2C18
Source: C:\Users\user\Desktop\LMSetup.exe	Code function: 0_2_008F2E47
Source: C:\Users\user\Desktop\LMSetup.exe	Code function: 0_2_008FEE7C
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Code function: 5_3_0A2FF437
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Code function: 5_3_0A302A12
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Code function: 5_3_0A2FBC12
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Code function: 5_3_0A301070
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Code function: 5_3_0A302C7A
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Code function: 5_3_0A308455
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Code function: 5_3_0A2FF2B7
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Code function: 5_3_0A305493
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Code function: 5_3_0A305CD3
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Code function: 5_3_0A308537
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Code function: 5_3_0A2FA93B
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Code function: 5_3_0A2FE173
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Code function: 5_3_0A300FBA
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Code function: 5_3_0A2FFFBB
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Code function: 5_3_0A2F3186
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Code function: 5_3_0A30239A
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Code function: 5_3_0A2FD1FA
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Code function: 5_3_0A3033D7
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Code function: 5_3_0A303FC1
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Code function: 5_3_0A303A24
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Code function: 5_3_0A2FED17
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Code function: 5_3_0A2FD05A
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Code function: 24_2_02EF407F
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Code function: 24_2_02EF42F6

Source: C:\Users\user\Desktop\LMSetup.exe	Code function: String function: 008C1F13 appears 54 times
Source: C:\Users\user\Desktop\LMSetup.exe	Code function: String function: 00900237 appears 683 times
Source: C:\Users\user\Desktop\LMSetup.exe	Code function: String function: 008C3821 appears 501 times
Source: C:\Users\user\Desktop\LMSetup.exe	Code function: String function: 00900726 appears 34 times
Source: C:\Users\user\Desktop\LMSetup.exe	Code function: String function: 009032F3 appears 83 times

Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe

Process Stats: CPU usage > 98%

Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: LMSetup.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: LMSetup.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: LMSetup.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: LMSetup.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: WixDependencyExtension.dll.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WixDirectXExtension.dll.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WixFirewallExtension.dll.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WixGamingExtension.dll.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WixHttpExtension.dll.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WixSqlExtension.dll.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\LMSetup.exe

File read: C:\Users\user\Desktop\LMSetup.exe

Jump to behavior

Source: LMSetup.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\LMSetup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\LMSetup.exe "C:\Users\user\Desktop\LMSetup.exe"
Source: C:\Users\user\Desktop\LMSetup.exe	Process created: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe "C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe" -burn.clean.room="C:\Users\user\Desktop\LMSetup.exe" -burn.filehandle.attached=556 -burn.filehandle.self=576
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe "C:\Users\user\Desktop\LMSetup.exe" -nologo -x "C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe "C:\Users\user\Desktop\LMSetup.exe" -nologo -x "C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba"
Source: C:\Users\user\Desktop\LMSetup.exe	Process created: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe "C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe" -burn.clean.room="C:\Users\user\Desktop\LMSetup.exe" -burn.filehandle.attached=556 -burn.filehandle.self=576
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe "C:\Users\user\Desktop\LMSetup.exe" -nologo -x "C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe "C:\Users\user\Desktop\LMSetup.exe" -nologo -x "C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba"

Source: C:\Users\user\Desktop\LMSetup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32

Source: C:\Users\user\Desktop\LMSetup.exe

Code function: 0_2_008C45EE GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,

Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe

File created: C:\Users\user\AppData\Local\Lenovo\

Jump to behavior

Source: C:\Users\user\Desktop\LMSetup.exe

File created: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\

Jump to behavior

Source: classification engine

Classification label: clean10.evad.winEXE@8/221@0/0

Source: C:\Users\user\Desktop\LMSetup.exe

Code function: 0_2_0090304F GetModuleHandleA,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,ExitProcess,

Source: WixUtilExtension.dll.5.dr, Microsoft.Tools.WindowsInstallerXml/Extensions/PayloadHarvester.cs	Suspicious method names: Microsoft.Tools.WindowsInstallerXml.Serialize.Fragment[] Microsoft.Tools.WindowsInstallerXml.Extensions.PayloadHarvester::Harvest(System.String)
Source: WixUtilExtension.dll.5.dr, Microsoft.Tools.WindowsInstallerXml/Extensions/PayloadHarvester.cs	Suspicious method names: System.Void Microsoft.Tools.WindowsInstallerXml.Extensions.PayloadHarvester::.ctor()
Source: WixUtilExtension.dll.5.dr, Microsoft.Tools.WindowsInstallerXml/Extensions/PayloadHarvester.cs	Suspicious method names: System.Void Microsoft.Tools.WindowsInstallerXml.Extensions.PayloadHarvester::set_SetUniqueIdentifiers(System.Boolean)
Source: WixUtilExtension.dll.5.dr, Microsoft.Tools.WindowsInstallerXml/Extensions/PayloadHarvester.cs	Suspicious method names: System.Boolean Microsoft.Tools.WindowsInstallerXml.Extensions.PayloadHarvester::get_SetUniqueIdentifiers()
Source: WixUtilExtension.dll.5.dr, Microsoft.Tools.WindowsInstallerXml/Extensions/PayloadHarvester.cs	Suspicious method names: Microsoft.Tools.WindowsInstallerXml.Serialize.RemotePayload Microsoft.Tools.WindowsInstallerXml.Extensions.PayloadHarvester::HarvestRemotePayload(System.String)
Source: WixVSExtension.dll.5.dr, Microsoft.Tools.WindowsInstallerXml/Extensions/VSProjectHarvester.cs	Suspicious method names: System.Void Microsoft.Tools.WindowsInstallerXml.Extensions.VSProjectHarvester::HarvestProjectOutputGroupPayloadFile(System.String,System.String,System.String,System.String,System.String,System.String,System.String,Microsoft.Tools.WindowsInstallerXml.Serialize.IParentElement,Microsoft.Tools.WindowsInstallerXml.Serialize.Payload,System.Collections.Generic.Dictionary`2<System.String,System.Boolean>)

Source: dark.exe, 00000018.00000002.556968676.0000000005592000.00000002.00000001.01000000.0000001D.sdmp, u32.24.dr

Binary or memory string: SELECT `Component_` FROM `FeatureComponents` WHERE `Feature_` = ?iSELECT `FileSize` FROM `File` WHERE `Component_` = ?/SELECT * FROM `Feature`;SELECT `Cabinet` FROM `Media`

Source: WixGamingExtension.dll.5.dr, Tools.WindowsInstallerXml/Extensions/GamingCompiler.cs

Task registration methods: 'CreateTaskDirectoryRow', 'CreateTaskRootDirectoryCustomActions'

Source: C:\Users\user\Desktop\LMSetup.exe

Code function: 0_2_008FFE21 FormatMessageW,GetLastError,LocalFree,

Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\LMSetup.exe

Code function: 0_2_008E6B88 ChangeServiceConfigW,GetLastError,

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2944:120:WilError_01

Source: C:\Users\user\Desktop\LMSetup.exe	Command line argument: cabinet.dll
Source: C:\Users\user\Desktop\LMSetup.exe	Command line argument: msi.dll
Source: C:\Users\user\Desktop\LMSetup.exe	Command line argument: version.dll
Source: C:\Users\user\Desktop\LMSetup.exe	Command line argument: wininet.dll
Source: C:\Users\user\Desktop\LMSetup.exe	Command line argument: comres.dll
Source: C:\Users\user\Desktop\LMSetup.exe	Command line argument: clbcatq.dll
Source: C:\Users\user\Desktop\LMSetup.exe	Command line argument: msasn1.dll
Source: C:\Users\user\Desktop\LMSetup.exe	Command line argument: crypt32.dll
Source: C:\Users\user\Desktop\LMSetup.exe	Command line argument: feclient.dll
Source: C:\Users\user\Desktop\LMSetup.exe	Command line argument: cabinet.dll

Source: LMSetup.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: dark.exe	String found in binary or memory: ath> -xo output wixout instead of WiX source code (mandatory for transforms and patches) -? \| -help this help information Environment variables: WIX_TEMP overrides the temporary directory used for cab extraction, binary e
Source: dark.exe	String found in binary or memory: b\DependencyExtension_x86.wxs7"><field>WixAction</field><field>InstallExecuteSequence/InstallInitialize</field></row><row sourceLineNumber="C:\agent\_work\8\s\src\ext\DependencyExtension\wixlib\DependencyExtension_Platform.wxi20\|C:\agent\_work\8\s\src\ext\De
Source: dark.exe	String found in binary or memory: lib\DirectXExtension.wxs17"><field>CustomAction</field><field>WixQueryDirectXCaps</field></row><row sourceLineNumber="C:\agent\_work\8\s\src\ext\DirectXExtension\wixlib\DirectXExtension.wxs17"><field>WixAction</field><field>InstallUISequence/LaunchConditions
Source: dark.exe	String found in binary or memory: xtension.wxs*21"><field>WixAction</field><field>InstallExecuteSequence/LaunchConditions</field></row></table></section><section type="fragment" xmlns="http://schemas.microsoft.com/wix/2006/objects"><table name="Property"><row sourceLineNumber="C:\agent\_work\8
Source: LMSetup.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: LMSetup.exe	String found in binary or memory: InstallerPackages/installer/installer.zipd
Source: LMSetup.exe	String found in binary or memory: )InstallerPackages/installer/installer.zipd

Source: LMSetup.exe

Static file information: File size 49224728 > 1048576

Source: LMSetup.exe

Static PE information: certificate valid

Source: LMSetup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: LMSetup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: LMSetup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: LMSetup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: LMSetup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: LMSetup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: LMSetup.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: LMSetup.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\DependencyExtension\WixDependencyExtension.pdb source: dark.exe, dark.exe, 00000018.00000002.556392871.0000000002EF2000.00000002.00000001.01000000.00000020.sdmp
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: LMSetup.exe
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixUtilExtension\WixUtilExtension.pdb\| source: dark.exe, 00000018.00000002.557734588.0000000005862000.00000002.00000001.01000000.00000028.sdmp
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixIIsExtension\WixIIsExtension.pdb source: dark.exe, 00000018.00000002.556830066.0000000005472000.00000002.00000001.01000000.00000025.sdmp
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixVSExtension\WixVSExtension.pdb source: dark.exe, 00000018.00000002.559434031.0000000005ED2000.00000002.00000001.01000000.0000002A.sdmp
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixGamingExtension\WixGamingExtension.pdb source: dark.exe, 00000018.00000002.556500646.0000000002F62000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: pdbaMicrosoft.Tools.WindowsInstallerXml.Xsd.pdbs.xsdUhttp://schemas.microsoft.com/wix/2006/pdbs source: dark.exe, 00000018.00000002.556968676.0000000005592000.00000002.00000001.01000000.0000001D.sdmp, u32.24.dr
Source:	Binary string: C:\jenkins\workspace\funnelweb10\funnelweb10_vs2017\FW5DeviceApp\JBusCore.Native\JBusModules\JBM_Resolver\vs12\bin\Release\Win32\JBM_Resolver_vs12.pdb,, source: JBM_Resolver_vs12.dll.5.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixUIExtension\WixUIExtension.pdbL source: dark.exe, 00000018.00000002.558081633.0000000005B32000.00000002.00000001.01000000.00000029.sdmp
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixGamingExtension\WixGamingExtension.pdb( source: dark.exe, 00000018.00000002.556500646.0000000002F62000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\dark\dark.pdb source: dark.exe, dark.exe, 00000018.00000000.486739438.0000000000B02000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: Microsoft.Tools.WindowsInstallerXml.Xsd.pdbs.xsd source: dark.exe, 00000018.00000002.556968676.0000000005592000.00000002.00000001.01000000.0000001D.sdmp, u32.24.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixNetfxExtension\WixNetFxExtension.pdb source: dark.exe, 00000018.00000002.556908564.0000000005532000.00000002.00000001.01000000.00000026.sdmp
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixHttpExtension\WixHttpExtension.pdb source: dark.exe, 00000018.00000002.556791687.00000000053E2000.00000002.00000001.01000000.00000024.sdmp, WixHttpExtension.dll.5.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\wix\wix.pdb source: dark.exe, 00000018.00000002.556968676.0000000005592000.00000002.00000001.01000000.0000001D.sdmp, u32.24.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixIIsExtension\WixIIsExtension.pdbt source: dark.exe, 00000018.00000002.556830066.0000000005472000.00000002.00000001.01000000.00000025.sdmp
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixDifxAppExtension\WixDifxAppExtension.pdb source: dark.exe, dark.exe, 00000018.00000002.556332220.0000000002EA2000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: C:\jenkins\workspace\funnelweb10\funnelweb10_vs2017\Installer\FWWindowNative\bin\Release\Win32\FWWindowNative.pdb source: FWWindowNative.dll.5.dr
Source:	Binary string: C:\jenkins\workspace\funnelweb10\funnelweb10_vs2017\FW5DeviceApp\JBusCore.Native\JBusModules\JBM_User\vs12\bin\Release\Win32\JBM_User_vs12.pdb source: u20.24.dr, JBM_User_vs12.dll.5.dr
Source:	Binary string: C:\jenkins\workspace\funnelweb10\funnelweb10_vs2017\FW5DeviceApp\JBusCore.Native\JBusModules\JBM_SNMP\vs12\bin\Release\Win32\JBM_SNMP_vs12.pdb source: JBM_SNMP_vs12.dll.5.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixFirewallExtension\WixFirewallExtension.pdb source: dark.exe, dark.exe, 00000018.00000002.556468998.0000000002F42000.00000002.00000001.01000000.00000022.sdmp, WixFirewallExtension.dll.5.dr, u36.24.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixDirectXExtension\WixDirectXExtension.pdb source: dark.exe, u35.24.dr
Source:	Binary string: C:\jenkins\workspace\funnelweb10\funnelweb10_vs2017\FW5DeviceApp\JBusCore.Native\JBusModules\JBM_Resolver\vs12\bin\Release\Win32\JBM_Resolver_vs12.pdb source: JBM_Resolver_vs12.dll.5.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixSqlExtension\WixSqlExtension.pdb source: dark.exe, 00000018.00000002.557417725.0000000005742000.00000002.00000001.01000000.00000027.sdmp
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\winterop.pdb source: dark.exe, 00000018.00000002.559615278.000000006FF45000.00000002.00000001.01000000.0000002B.sdmp, winterop.dll.5.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixUtilExtension\WixUtilExtension.pdb source: dark.exe, 00000018.00000002.557734588.0000000005862000.00000002.00000001.01000000.00000028.sdmp
Source:	Binary string: C:\jenkins\workspace\funnelweb10\funnelweb10_vs2017\FW5DeviceApp\JBusCore.Native\JBusModules\JBM_SNMP\vs12\bin\Release\Win32\JBM_SNMP_vs12.pdbSS source: JBM_SNMP_vs12.dll.5.dr
Source:	Binary string: C:\jenkins\workspace\funnelweb10\funnelweb10_vs2017\Installer\vs\JBM_RAF_Static\bin\Release\Win32\JBM_RAF_Static.pdb source: JBM_RAF_Static.dll.5.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\wix\wix.pdbh source: dark.exe, 00000018.00000002.556968676.0000000005592000.00000002.00000001.01000000.0000001D.sdmp, u32.24.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WixUIExtension\WixUIExtension.pdb source: dark.exe, 00000018.00000002.558081633.0000000005B32000.00000002.00000001.01000000.00000029.sdmp

Source: LMSetup.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: LMSetup.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: LMSetup.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: LMSetup.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: LMSetup.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\LMSetup.exe	Code function: 0_2_008EEAD6 push ecx; ret
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Code function: 5_3_0A2F9002 push eax; ret
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Code function: 24_2_02EA5360 push ecx; iretd
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Code function: 24_2_02F0A4A3 push esi; ret

Source: LMSetup.exe	Static PE information: section name: .wixburn
Source: LMSetup.exe.0.dr	Static PE information: section name: .wixburn
Source: vccorlib110.dll.5.dr	Static PE information: section name: minATL

Source: initial sample	Static PE information: section name: .text entropy: 6.92420163356
Source: initial sample	Static PE information: section name: .text entropy: 7.38047865037
Source: initial sample	Static PE information: section name: .text entropy: 7.81678730261
Source: initial sample	Static PE information: section name: .text entropy: 7.52939429346
Source: initial sample	Static PE information: section name: .text entropy: 7.60824281471
Source: initial sample	Static PE information: section name: .text entropy: 7.58506941708
Source: initial sample	Static PE information: section name: .text entropy: 7.49615358644
Source: initial sample	Static PE information: section name: .text entropy: 7.83645052643
Source: initial sample	Static PE information: section name: .text entropy: 7.44554243282
Source: initial sample	Static PE information: section name: .text entropy: 7.59436656349

Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u36
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u37
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u7
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u38
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u6
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\FWWindowNative.dll	Jump to dropped file
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u39
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u5
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u32
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u33
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\JBM_StateMachine_vs12.dll	Jump to dropped file
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u34
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u2
Source: C:\Users\user\Desktop\LMSetup.exe	File created: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixDifxAppExtension.dll
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u35
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\JBM_InstallerUtils_Static.dll	Jump to dropped file
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u9
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\JBM_AppConfig_vs12.dll	Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\JBM_User_vs12.dll	Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\FW5FWSDK_Net45_vs12.dll	Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\JBM_Resolver_vs12.dll	Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\JBM_PluginCache_vs12.dll	Jump to dropped file
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u30
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u31
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixUtilExtension.dll
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixFirewallExtension.dll
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u28
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u21
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u22
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u23
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\JBM_SNMP_vs12.dll	Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixDirectXExtension.dll
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\msvcr110.dll
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\msvcp110.dll
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixIIsExtension.dll
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\vccorlib110.dll
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixDependencyExtension.dll
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u20
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\JBM_System_vs12.dll	Jump to dropped file
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u14
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\JBM_RAF_Static.dll	Jump to dropped file
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u15
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u16
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixGamingExtension.dll
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u17
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u10
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u11
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u12
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u13
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u18
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\wix.dll
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u19
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\TAPToaster.exe
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixVSExtension.dll
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixSqlExtension.dll
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\winterop.dll
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\JBM_Propertybag_vs12.dll	Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixHttpExtension.dll
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\JBM_Encryption_vs12.dll	Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixUIExtension.dll
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\JBM_Locale_vs12.dll	Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixNetFxExtension.dll
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u43
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u44
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\TAPInstallerNative.dll
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\FW5JCore_vs12_x86.dll	Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\JBM_WixInstaller_Static.dll	Jump to dropped file
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u0
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u40
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u41
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u42

Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u36
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u37
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u7
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u38
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u6
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\FWWindowNative.dll	Jump to dropped file
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u39
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u5
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u32
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u33
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\JBM_StateMachine_vs12.dll	Jump to dropped file
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u34
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u2
Source: C:\Users\user\Desktop\LMSetup.exe	File created: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixDifxAppExtension.dll
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u35
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\JBM_InstallerUtils_Static.dll	Jump to dropped file
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u9
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\JBM_AppConfig_vs12.dll	Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\JBM_User_vs12.dll	Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\FW5FWSDK_Net45_vs12.dll	Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\JBM_Resolver_vs12.dll	Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\JBM_PluginCache_vs12.dll	Jump to dropped file
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u30
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u31
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixUtilExtension.dll
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixFirewallExtension.dll
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u28
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u21
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u22
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u23
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\JBM_SNMP_vs12.dll	Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixDirectXExtension.dll
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\msvcr110.dll
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\msvcp110.dll
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixIIsExtension.dll
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\vccorlib110.dll
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixDependencyExtension.dll
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u20
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\JBM_System_vs12.dll	Jump to dropped file
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u14
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\JBM_RAF_Static.dll	Jump to dropped file
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u15
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u16
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixGamingExtension.dll
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u17
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u10
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u11
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u12
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u13
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u18
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\wix.dll
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u19
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\TAPToaster.exe
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixVSExtension.dll
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixSqlExtension.dll
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\winterop.dll
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\JBM_Propertybag_vs12.dll	Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixHttpExtension.dll
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\JBM_Encryption_vs12.dll	Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixUIExtension.dll
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\JBM_Locale_vs12.dll	Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixNetFxExtension.dll
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u43
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u44
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\TAPInstallerNative.dll
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\FW5JCore_vs12_x86.dll	Jump to dropped file
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\JBM_WixInstaller_Static.dll	Jump to dropped file
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u0
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u40
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u41
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u42

Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\cs\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\da\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\de-de\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\el\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\en-gb\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\en-us\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\es-es\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\fi\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\fr-fr\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\hu\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\it-it\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\ja\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\nl-nl\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\no-no\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\pl\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\pt-br\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\pt-pt\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\ru\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\sv-se\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\tr-tr\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\zh-cn\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\License\zh-tw\license.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\cs\readme.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\da\readme.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\de-de\readme.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\en-gb\readme.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\en-us\readme.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\es-es\readme.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\fi\readme.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\fr-fr\readme.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\hu\readme.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\it-it\readme.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\ja\readme.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\nl-nl\readme.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\no-no\readme.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\pl\readme.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\pt-br\readme.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\pt-pt\readme.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\ru\readme.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\sv-se\readme.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\tr-tr\readme.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\zh-cn\readme.txt	Jump to behavior
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	File created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\Readme\zh-tw\readme.txt	Jump to behavior

Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\LMSetup.exe	Code function: 0_2_008FFEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 008FFF61h
Source: C:\Users\user\Desktop\LMSetup.exe	Code function: 0_2_008FFEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 008FFF5Ah

Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe

Registry key enumerated: More than 151 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Memory allocated: 4750000 memory reserve \| memory write watch
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Memory allocated: 3B50000 memory reserve \| memory write watch
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Memory allocated: 53D0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Memory allocated: 5550000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Memory allocated: 5570000 memory commit \| memory reserve \| memory write watch

Source: C:\Users\user\Desktop\LMSetup.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\LMSetup.exe

API coverage: 10.0 %

Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\LMSetup.exe

Code function: 0_2_009097A5 VirtualQuery,GetSystemInfo,

Source: C:\Users\user\Desktop\LMSetup.exe	Code function: 0_2_00904440 FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\LMSetup.exe	Code function: 0_2_008F7B87 FindFirstFileExW,
Source: C:\Users\user\Desktop\LMSetup.exe	Code function: 0_2_008D9B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\LMSetup.exe	Code function: 0_2_008C3CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,

Source: C:\Users\user\Desktop\LMSetup.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\LMSetup.exe

Code function: 0_2_008EE88A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\Desktop\LMSetup.exe

Code function: 0_2_008C394F GetProcessHeap,RtlAllocateHeap,

Source: C:\Users\user\Desktop\LMSetup.exe

Code function: 0_2_008F48D8 mov eax, dword ptr fs:[00000030h]

Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\Desktop\LMSetup.exe	Code function: 0_2_008EE9DC SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\LMSetup.exe	Code function: 0_2_008EE3D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\LMSetup.exe	Code function: 0_2_008EE88A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\LMSetup.exe	Code function: 0_2_008F3C76 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\Desktop\LMSetup.exe	Process created: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe "C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe" -burn.clean.room="C:\Users\user\Desktop\LMSetup.exe" -burn.filehandle.attached=556 -burn.filehandle.self=576
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe "C:\Users\user\Desktop\LMSetup.exe" -nologo -x "C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe "C:\Users\user\Desktop\LMSetup.exe" -nologo -x "C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba"

Source: C:\Users\user\Desktop\LMSetup.exe

Code function: 0_2_00901719 InitializeSecurityDescriptor,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,SetEntriesInAclA,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,LocalFree,

Source: C:\Users\user\Desktop\LMSetup.exe

Code function: 0_2_00903A5F AllocateAndInitializeSid,CheckTokenMembership,

Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Queries volume information: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe VolumeInformation
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Queries volume information: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\wix.dll VolumeInformation
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Queries volume information: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixDifxAppExtension.dll VolumeInformation
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Queries volume information: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixDependencyExtension.dll VolumeInformation
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Queries volume information: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixDirectXExtension.dll VolumeInformation
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Queries volume information: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixFirewallExtension.dll VolumeInformation
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Queries volume information: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixGamingExtension.dll VolumeInformation
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Queries volume information: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixHttpExtension.dll VolumeInformation
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Queries volume information: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixIIsExtension.dll VolumeInformation
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Queries volume information: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixNetFxExtension.dll VolumeInformation
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Queries volume information: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixSqlExtension.dll VolumeInformation
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Queries volume information: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixUIExtension.dll VolumeInformation
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Queries volume information: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixUtilExtension.dll VolumeInformation
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Queries volume information: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixVSExtension.dll VolumeInformation

Source: C:\Users\user\Desktop\LMSetup.exe

Code function: 0_2_008EEC07 cpuid

Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\LMSetup.exe

Code function: 0_2_008D4EDF ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree,

Source: C:\Users\user\Desktop\LMSetup.exe

Code function: 0_2_008C6037 GetSystemTime,GetDateFormatW,GetLastError,GetLastError,GetDateFormatW,GetLastError,

Source: C:\Users\user\Desktop\LMSetup.exe

Code function: 0_2_0090887B GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,

Source: C:\Users\user\Desktop\LMSetup.exe

Code function: 0_2_008C5195 GetModuleHandleW,CoInitializeEx,GetVersionExW,GetLastError,CoUninitialize,

Source: C:\Users\user\Desktop\LMSetup.exe

Code function: 0_2_008C61DF GetUserNameW,GetLastError,

Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	21 Windows Management Instrumentation	1 Windows Service	1 Access Token Manipulation	1 Disable or Modify Tools	1 Input Capture	12 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	1 Scheduled Task/Job	1 Windows Service	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Email Collection	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	3 Command and Scripting Interpreter	Logon Script (Windows)	12 Process Injection	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Input Capture	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	1 Scheduled Task/Job	Logon Script (Mac)	1 Scheduled Task/Job	2 Software Packing	NTDS	46 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	1 Service Execution	Network Logon Script	Network Logon Script	31 Masquerading	LSA Secrets	4 Security Software Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	31 Virtualization/Sandbox Evasion	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Modify Registry	DCSync	11 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	1 System Owner/User Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	12 Process Injection	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
http://schemas.m	0%	URL Reputation	safe
http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
http://www.fontbureau.comitudi	0%	Avira URL Cloud	safe
http://appsyndication.org/schemas/appsyn5rss/channel/as:applicationKDid	0%	Avira URL Cloud	safe
http://www.fontbureau.comp	0%	Avira URL Cloud	safe
http://en.wikipqxg	0%	Avira URL Cloud	safe
http://appsyndication.org/2006/appsyn	0%	URL Reputation	safe
http://www.fontbureau.comalsFT	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	LMSetup.exe, 00000005.00000003.410864207.000000000A46B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	LMSetup.exe, 00000005.00000003.429990990.0000000005323000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.m	dark.exe	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersJ	LMSetup.exe, 00000005.00000003.429567950.000000000A46B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://wixtoolset.org/releases/feed/v3.11	dark.exe	false		high
http://www.fontbureau.com/designersA	LMSetup.exe, 00000005.00000003.431133719.000000000A46B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	LMSetup.exe, 00000005.00000003.430983857.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.430825935.000000000A46B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v	dark.exe, 00000018.00000002.558081633.0000000005B32000.00000002.00000001.01000000.00000029.sdmp, dark.exe, 00000018.00000002.556468998.0000000002F42000.00000002.00000001.01000000.00000022.sdmp, dark.exe, 00000018.00000000.486739438.0000000000B02000.00000002.00000001.01000000.0000001C.sdmp, dark.exe, 00000018.00000002.556500646.0000000002F62000.00000002.00000001.01000000.00000023.sdmp, dark.exe, 00000018.00000002.556332220.0000000002EA2000.00000002.00000001.01000000.0000001F.sdmp, dark.exe, 00000018.00000002.559434031.0000000005ED2000.00000002.00000001.01000000.0000002A.sdmp, dark.exe, 00000018.00000002.557417725.0000000005742000.00000002.00000001.01000000.00000027.sdmp, dark.exe, 00000018.00000002.556908564.0000000005532000.00000002.00000001.01000000.00000026.sdmp, dark.exe, 00000018.00000002.556392871.0000000002EF2000.00000002.00000001.01000000.00000020.sdmp, dark.exe, 00000018.00000002.556791687.00000000053E2000.00000002.00000001.01000000.00000024.sdmp, dark.exe, 00000018.00000002.556830066.0000000005472000.00000002.00000001.01000000.00000025.sdmp, dark.exe, 00000018.00000002.557734588.0000000005862000.00000002.00000001.01000000.00000028.sdmp, WixHttpExtension.dll.5.dr, WixFirewallExtension.dll.5.dr, u36.24.dr, u35.24.dr	false		high
http://www.fontbureau.com/designers	LMSetup.exe, 00000005.00000003.425385234.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.431133719.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.446818415.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.430983857.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.446748903.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.431274097.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.446576344.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.430825935.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.424486510.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.446492562.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.425763015.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.446371295.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.426162319.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.446234440.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.425962737.000000000A46B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor	LMSetup.exe	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersDC	LMSetup.exe, 00000005.00000003.424621358.000000000A46B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://wixtoolset.org/news/	dark.exe, dark.exe, 00000018.00000002.558081633.0000000005B32000.00000002.00000001.01000000.00000029.sdmp, dark.exe, 00000018.00000002.556468998.0000000002F42000.00000002.00000001.01000000.00000022.sdmp, dark.exe, 00000018.00000000.486739438.0000000000B02000.00000002.00000001.01000000.0000001C.sdmp, dark.exe, 00000018.00000002.556500646.0000000002F62000.00000002.00000001.01000000.00000023.sdmp, dark.exe, 00000018.00000002.556332220.0000000002EA2000.00000002.00000001.01000000.0000001F.sdmp, dark.exe, 00000018.00000002.559434031.0000000005ED2000.00000002.00000001.01000000.0000002A.sdmp, dark.exe, 00000018.00000002.557417725.0000000005742000.00000002.00000001.01000000.00000027.sdmp, dark.exe, 00000018.00000002.556968676.0000000005592000.00000002.00000001.01000000.0000001D.sdmp, dark.exe, 00000018.00000002.556908564.0000000005532000.00000002.00000001.01000000.00000026.sdmp, dark.exe, 00000018.00000002.556392871.0000000002EF2000.00000002.00000001.01000000.00000020.sdmp, dark.exe, 00000018.00000002.556791687.00000000053E2000.00000002.00000001.01000000.00000024.sdmp, dark.exe, 00000018.00000002.556830066.0000000005472000.00000002.00000001.01000000.00000025.sdmp, dark.exe, 00000018.00000002.557734588.0000000005862000.00000002.00000001.01000000.00000028.sdmp, WixHttpExtension.dll.5.dr, WixFirewallExtension.dll.5.dr, u36.24.dr, u35.24.dr, u32.24.dr	false		high
http://schemas.micro	dark.exe	false	URL Reputation: safe	unknown
http://wixtoolset.org/releases/yMicrosoft.Tools.WindowsInstallerXml.Extensions.Xsd.netfx.xsd	dark.exe, 00000018.00000002.556908564.0000000005532000.00000002.00000001.01000000.00000026.sdmp	false		high
http://www.symauth.com/cps0(	dark.exe, 00000018.00000002.556628591.0000000003085000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersS	LMSetup.exe, 00000005.00000003.446371295.000000000A46B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers)	LMSetup.exe, 00000005.00000003.425570469.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.426981530.000000000A46B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-jones.htmloW~	LMSetup.exe, 00000005.00000003.426859603.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.426981530.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.427118337.000000000A46B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://wixtoolset.org/releases/	dark.exe, dark.exe, 00000018.00000002.558081633.0000000005B32000.00000002.00000001.01000000.00000029.sdmp, dark.exe, 00000018.00000002.556468998.0000000002F42000.00000002.00000001.01000000.00000022.sdmp, dark.exe, 00000018.00000000.486739438.0000000000B02000.00000002.00000001.01000000.0000001C.sdmp, dark.exe, 00000018.00000002.556500646.0000000002F62000.00000002.00000001.01000000.00000023.sdmp, dark.exe, 00000018.00000002.556332220.0000000002EA2000.00000002.00000001.01000000.0000001F.sdmp, dark.exe, 00000018.00000002.556392871.0000000002EF2000.00000002.00000001.01000000.00000020.sdmp, dark.exe, 00000018.00000002.557734588.0000000005862000.00000002.00000001.01000000.00000028.sdmp, WixFirewallExtension.dll.5.dr, u36.24.dr, u35.24.dr	false		high
http://wixtoolset.org/releases/uMicrosoft.Tools.WindowsInstallerXml.Extensions.Xsd.iis.xsd	dark.exe, 00000018.00000002.556830066.0000000005472000.00000002.00000001.01000000.00000025.sdmp	false		high
http://wixtoolset.org	dark.exe	false		high
http://www.fontbureau.com/designers/cabarga.html	LMSetup.exe, 00000005.00000003.428860600.000000000A46B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersl1	LMSetup.exe, 00000005.00000003.425763015.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.426162319.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.425962737.000000000A46B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comitudi	LMSetup.exe, 00000005.00000003.429990990.0000000005323000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.symauth.com/rpa00	dark.exe, 00000018.00000002.556628591.0000000003085000.00000004.00000800.00020000.00000000.sdmp	false		high
http://appsyndication.org/schemas/appsyn5rss/channel/as:applicationKDid	dark.exe, 00000018.00000002.557734588.0000000005862000.00000002.00000001.01000000.00000028.sdmp	false	Avira URL Cloud: safe	unknown
http://wixtoolset.org/releases/sMicrosoft.Tools.WindowsInstallerXml.Extensions.Xsd.vs.xsd	dark.exe, 00000018.00000002.559434031.0000000005ED2000.00000002.00000001.01000000.0000002A.sdmp	false		high
http://www.fontbureau.com/designersd	LMSetup.exe, 00000005.00000003.424621358.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.424738869.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.424486510.000000000A46B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comp	LMSetup.exe, 00000005.00000003.428643198.0000000005323000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersb	LMSetup.exe, 00000005.00000003.431133719.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.431274097.000000000A46B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://wixtoolset.org/	dark.exe	false		high
http://wixtoolset.org/telemetry/v	dark.exe	false		high
http://en.wikipqxg	LMSetup.exe, 00000005.00000003.406860034.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.407217388.000000000A46F000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.407122395.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.407017293.000000000A46F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://wixtoolset.org/documentation/error217/	u32.24.dr	false		high
http://www.fontbureau.com/designers:	LMSetup.exe, 00000005.00000003.429567950.000000000A46B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	dark.exe, 00000018.00000002.556628591.0000000003085000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/	LMSetup.exe, 00000005.00000003.424339254.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.424486510.000000000A46B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlD	LMSetup.exe, 00000005.00000003.429383019.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.428860600.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.429182478.000000000A46B000.00000004.00000800.00020000.00000000.sdmp, LMSetup.exe, 00000005.00000003.429027170.000000000A46B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://wixtoolset.org/releases/uMicrosoft.Tools.WindowsInstallerXml.Extensions.Xsd.sql.xsd	dark.exe, 00000018.00000002.557417725.0000000005742000.00000002.00000001.01000000.00000027.sdmp	false		high
http://wixtoolset.org/releases/wMicrosoft.Tools.WindowsInstallerXml.Extensions.Xsd.http.xsd	dark.exe, 00000018.00000002.556791687.00000000053E2000.00000002.00000001.01000000.00000024.sdmp, WixHttpExtension.dll.5.dr	false		high
http://appsyndication.org/2006/appsyn	LMSetup.exe	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers2	LMSetup.exe, 00000005.00000003.429383019.000000000A46B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersUK	LMSetup.exe, 00000005.00000003.446234440.000000000A46B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comalsFT	LMSetup.exe, 00000005.00000003.429990990.0000000005323000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	562516
Start date:	28.01.2022
Start time:	23:40:43
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 0s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	LMSetup.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean10.evad.winEXE@8/221@0/0
EGA Information:	Successful, ratio: 33.3%
HDC Information:	Successful, ratio: 93.9% (good quality ratio 86.3%) Quality average: 71.5% Quality standard deviation: 31.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Created / dropped Files have been reduced to 100
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Execution Graph export aborted for target LMSetup.exe, PID 5264 because there are no executed function
Execution Graph export aborted for target dark.exe, PID 6416 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: LMSetup.exe

Simulations

Behavior and APIs

Time	Type	Description
23:42:54	API Interceptor	2x Sleep call for process: LMSetup.exe modified

Process:	C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	46
Entropy (8bit):	4.34389537982896
Encrypted:	false
SSDEEP:	3:YTyLSMRWQYHJHKNm8HQ84:YWLSwWpZ
MD5:	61F20331CD484522E8503163361D7BBC
SHA1:	615B46AE0BF94F50862B61961AB756D3092600A7
SHA-256:	707624B59A3A8DFAB92BABB860322D75711F7F2742A412312B23ED13C9A3BD28
SHA-512:	E5E18816D751C134597162FBE2972D26FB8A10160F503243A8CB6B3D85B1DEB441BBA4CAD0C2F888835E82CB73F6A5FDC70DD94D7804211C4B61620751EEAEC3
Malicious:	false
Reputation:	low
Preview:	{"version":"1.0.4835.18","cachestate":"final"}

Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u36
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u37
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u7
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u38
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u6
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u39
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u5
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u32
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u33
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u34
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u35
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixDifxAppExtension.dll
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u9
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u30
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u31
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixUtilExtension.dll
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixFirewallExtension.dll
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u28
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u21
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u22
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u23
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixDirectXExtension.dll
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixIIsExtension.dll
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\vccorlib110.dll
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u20
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixDependencyExtension.dll
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u14
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u15
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u16
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixGamingExtension.dll
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u17
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u10
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u11
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u12
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u13
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u18
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\wix.dll
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u19
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\TAPToaster.exe
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixVSExtension.dll
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixSqlExtension.dll
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixHttpExtension.dll
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixUIExtension.dll
Source: C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\WixNetFxExtension.dll
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u43
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u44
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u0
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u40
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u41
Source: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe	Dropped PE file which has not been started: C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\UX\u42

Process:	C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe
File Type:	Microsoft Cabinet archive data, 7941732 bytes, 111 files
Category:	dropped
Size (bytes):	7941732
Entropy (8bit):	7.998498399657889
Encrypted:	true
SSDEEP:	196608:bq89B9XAl43iVlYkceddiXLw+Kjh7u/2yN51jC4xVblq0tNcVSZ4:br7MBAKjBu/d1m4TtFy
MD5:	43C42D19035D99EB5DDEFB7C15604D40
SHA1:	227D55DA8D2D7DBA40071690D5F8F5EFEB87DF02
SHA-256:	9C846B5338230ECA5EB1181A232CB0D7BA70B3953DDF747A35F13DD1068E60EE
SHA-512:	5B54762E44A6950879C7CC08DADADF729D029B20827260E8B242610ACF5D6676B87649DA3CF243EDA14E77539F7A6C17FA840BE87F9A3956619DB34F49EF3121
Malicious:	false
Preview:	MSCF....d.y.....d...........o...........J....Xw......nw.....[.w..... .w.......w.....c.w.....\|.w................P.. .0...........4P.\ .u0.7....z.....P!l .u1..p...}....rK.p .u2.:.........rK.k .u3.dn.........P+l .u4..@..o_+...4P.\ .u5.....o.-...4P.\ .u6.....oK;...4P.\ .u7..!..o.>....P.. .u8..$..H?@...4P.\ .u9.....HcA...4P.\ .u10.."..H[B...4P.\ .u11.....H}E...4P.\ .u12.....H_K...4P.\ .u13..z..H.O...4P.\ .u14..~..HwQ...4P.\ .u15..2..H.T...4P.\ .u16.....H'`...4P.\ .u17.....H.i...4P.\ .u18.....H.w...4P.\ .u19.....HYz...4P.\ .u20.....H){...4P.\ .u21..'..H.}...4P.[ .u22..)...%....4P.[ .u23.&....N.....P+l .u24......O.....P+l .u25.>....P.....P+l .u26......Q.....P,l .u27......Q....4P.\ .u28......i....rO.. .u29......i....4P.[ .u30......@....rK.p .u31...........rK.p .u32..........rK!p .u33..p........rK!p .u34..@........rK#p .u35......X....rK$p .u36......(....rK,p .u37..........rK.p .u38...........rK.p .u39......X....rK4p .u40...........rK5p .u41...9.......rK8p .u42...........rK,p .u43..`........rK

Process:	C:\Users\user\Desktop\LMSetup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8550648
Entropy (8bit):	7.968086138202255
Encrypted:	false
SSDEEP:	196608:KfUVq89B9XAl43iVlYkceddiXLw+Kjh7u/2yN51jC4xVblq0tNcVSZT:6Or7MBAKjBu/d1m4TtFp
MD5:	ED2B2F8988D6123D440982052A65D364
SHA1:	78C33B6C5E06055208D212EB582D217DA128C5B3
SHA-256:	C19F9CB4159FC8BFB27F1935BEED5A5695BD45EF1BB32B7F14747C007D77EBFE
SHA-512:	1DBF4BAFED1896A5389C37178845ABE22229A45AE60C2CCF0A8B8327F128E29280378F56D6C63ED8BFCB42EA05E80997BBBCA255F39D99C14835F522ED64B849
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A!.S.@...@...@......@.....y@......@..."\|..@..."{..@..."z.#@...8...@...8...@...@~.PA...#z.N@...#...@...@...@...#}..@..Rich.@..................PE..L......Z..........................................@..........................p......"S....@..............................................V..........h\.......0...=..Pv..T....................v......0p..@...................4........................text...7........................... ..`.rdata..`...........................@..@.data...0...........................@....wixburn8...........................@..@.rsrc....V.......X..................@..@.reloc...=...0...>..................@..B................................................................................................................................................................................................................................................

Entrypoint:	0x42e2a6
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5A10AD86 [Sat Nov 18 22:00:38 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	d7e2fd259780271687ffca462b9e69b7

Signature Valid:	true
Signature Issuer:	CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	10/30/2019 5:00:00 PM 10/30/2020 4:59:59 PM
Subject Chain	CN=Toshiba Tec Corporation, OU=Solution Design Dept 1, O=Toshiba Tec Corporation, L=Shinagawa-ku, S=Tokyo, C=JP
Version:	3
Thumbprint MD5:	611783128FBC54307F929EF62774D416
Thumbprint SHA-1:	BEAA872989B75F3B3CA92C03AFEA85EF28ADC2D9
Thumbprint SHA-256:	41FD0DFDD309E9FCDD2BD56721705CD45C6BA536538890334A63FDB9B43D7647
Serial:	7EDF80DB761DCE3989C9B7EAD9E4D19F

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x686b4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6d000	0x25610	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x2eeff88	0x1c90
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x93000	0x3dfc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x67650	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x676a4	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x67030	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4b000	0x3e0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x68234	0x100	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x49937	0x49a00	False	0.531468856112	data	6.57000604641	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x4b000	0x1ed60	0x1ee00	False	0.313638663968	data	5.11422830126	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x6a000	0x1730	0xa00	False	0.274609375	data	3.15265940276	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.wixburn	0x6c000	0x38	0x200	False	0.12890625	data	0.749962524453	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x6d000	0x25610	0x25800	False	0.0701888020833	data	3.03595133921	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x93000	0x3dfc	0x3e00	False	0.809727822581	data	6.79433546957	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country
RT_ICON	0x6d3b8	0xca3	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x6e05c	0x10828	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0x7e884	0x4c28	data	English	United States
RT_ICON	0x834ac	0x4228	data	English	United States
RT_ICON	0x876d4	0x1628	dBase IV DBT of \200.DBF, blocks size 0, block length 8192, next free block index 40	English	United States
RT_ICON	0x88cfc	0x25a8	dBase IV DBT of `.DBF, block length 18432, next free block index 40	English	United States
RT_ICON	0x8b2a4	0xea8	dBase IV DBT of `.DBF, block length 4608, next free block index 40	English	United States
RT_ICON	0x8c14c	0x10a8	dBase IV DBT of @.DBF, block length 8192, next free block index 40	English	United States
RT_ICON	0x8d1f4	0x8a8	dBase IV DBT of @.DBF, block length 2048, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x8da9c	0x988	dBase IV DBT of 0.DBF, block length 4608, next free block index 40	English	United States
RT_ICON	0x8e424	0x6c8	data	English	United States
RT_ICON	0x8eaec	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x8ef54	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_MESSAGETABLE	0x8f4bc	0x2840	data	English	United States
RT_GROUP_ICON	0x91cfc	0xbc	data	English	United States
RT_VERSION	0x91db8	0x384	data	English	United States
RT_MANIFEST	0x9213c	0x4d2	XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	English	United States

DLL	Import
ADVAPI32.dll	RegCloseKey, RegOpenKeyExW, OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueW, InitiateSystemShutdownExW, GetUserNameW, RegQueryValueExW, RegDeleteValueW, CloseEventLog, OpenEventLogW, ReportEventW, ConvertStringSecurityDescriptorToSecurityDescriptorW, DecryptFileW, CreateWellKnownSid, InitializeAcl, SetEntriesInAclW, ChangeServiceConfigW, CloseServiceHandle, ControlService, OpenSCManagerW, OpenServiceW, QueryServiceStatus, SetNamedSecurityInfoW, CheckTokenMembership, AllocateAndInitializeSid, SetEntriesInAclA, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, RegSetValueExW, RegQueryInfoKeyW, RegEnumValueW, RegEnumKeyExW, RegDeleteKeyW, RegCreateKeyExW, GetTokenInformation, CryptDestroyHash, CryptHashData, CryptCreateHash, CryptGetHashParam, CryptReleaseContext, CryptAcquireContextW, QueryServiceConfigW
USER32.dll	PeekMessageW, PostMessageW, IsWindow, WaitForInputIdle, PostQuitMessage, GetMessageW, TranslateMessage, MsgWaitForMultipleObjects, PostThreadMessageW, GetMonitorInfoW, MonitorFromPoint, IsDialogMessageW, LoadCursorW, LoadBitmapW, SetWindowLongW, GetWindowLongW, GetCursorPos, MessageBoxW, CreateWindowExW, UnregisterClassW, RegisterClassW, DefWindowProcW, DispatchMessageW
OLEAUT32.dll	VariantInit, SysAllocString, VariantClear, SysFreeString
GDI32.dll	DeleteDC, DeleteObject, SelectObject, StretchBlt, GetObjectW, CreateCompatibleDC
SHELL32.dll	CommandLineToArgvW, SHGetFolderPathW, ShellExecuteExW
ole32.dll	CoUninitialize, CoInitializeEx, CoInitialize, StringFromGUID2, CoCreateInstance, CoTaskMemFree, CLSIDFromProgID, CoInitializeSecurity
KERNEL32.dll	GetCommandLineA, GetCPInfo, GetOEMCP, CloseHandle, CreateFileW, GetProcAddress, LocalFree, HeapSetInformation, GetLastError, GetModuleHandleW, FormatMessageW, lstrlenA, lstrlenW, MultiByteToWideChar, WideCharToMultiByte, LCMapStringW, Sleep, GetLocalTime, GetModuleFileNameW, ExpandEnvironmentStringsW, GetTempPathW, GetTempFileNameW, CreateDirectoryW, GetFullPathNameW, CompareStringW, GetCurrentProcessId, WriteFile, SetFilePointer, LoadLibraryW, GetSystemDirectoryW, CreateFileA, HeapAlloc, HeapReAlloc, HeapFree, HeapSize, GetProcessHeap, FindClose, GetCommandLineW, GetCurrentDirectoryW, RemoveDirectoryW, SetFileAttributesW, GetFileAttributesW, DeleteFileW, FindFirstFileW, FindNextFileW, MoveFileExW, GetCurrentProcess, GetCurrentThreadId, InitializeCriticalSection, DeleteCriticalSection, ReleaseMutex, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, CreateProcessW, GetVersionExW, VerSetConditionMask, FreeLibrary, EnterCriticalSection, LeaveCriticalSection, GetSystemTime, GetNativeSystemInfo, GetModuleHandleExW, GetWindowsDirectoryW, GetSystemWow64DirectoryW, GetEnvironmentStringsW, VerifyVersionInfoW, GetVolumePathNameW, GetDateFormatW, GetUserDefaultUILanguage, GetSystemDefaultLangID, GetUserDefaultLangID, GetStringTypeW, ReadFile, SetFilePointerEx, DuplicateHandle, InterlockedExchange, InterlockedCompareExchange, LoadLibraryExW, CreateEventW, ProcessIdToSessionId, OpenProcess, GetProcessId, WaitForSingleObject, ConnectNamedPipe, SetNamedPipeHandleState, CreateNamedPipeW, CreateThread, GetExitCodeThread, SetEvent, WaitForMultipleObjects, InterlockedIncrement, InterlockedDecrement, ResetEvent, SetEndOfFile, SetFileTime, LocalFileTimeToFileTime, DosDateTimeToFileTime, CompareStringA, GetExitCodeProcess, SetThreadExecutionState, CopyFileExW, MapViewOfFile, UnmapViewOfFile, CreateMutexW, CreateFileMappingW, GetThreadLocale, IsValidCodePage, FindFirstFileExW, FreeEnvironmentStringsW, SetStdHandle, GetConsoleCP, GetConsoleMode, FlushFileBuffers, DecodePointer, WriteConsoleW, GetModuleHandleA, GlobalAlloc, GlobalFree, GetFileSizeEx, CopyFileW, VirtualAlloc, VirtualFree, SystemTimeToTzSpecificLocalTime, GetTimeZoneInformation, SystemTimeToFileTime, GetSystemInfo, VirtualProtect, VirtualQuery, GetComputerNameW, SetCurrentDirectoryW, GetFileType, GetACP, ExitProcess, GetStdHandle, InitializeCriticalSectionAndSpinCount, SetLastError, RtlUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, RaiseException, LoadLibraryExA
RPCRT4.dll	UuidCreate

Description	Data
LegalCopyright	Copyright (c) 2020 Toshiba Tec Corporation, All Rights Reserved.
InternalName	setup
FileVersion	1.0.4835.18
CompanyName	Toshiba Tec Corporation
ProductName	Lenovo Universal Printer 2 driver
ProductVersion	1.0.4835.18
FileDescription	Lenovo Universal Printer 2 driver
OriginalFilename	LMSetup.exe
Translation	0x0409 0x04e4

Target ID:	0
Start time:	23:41:35
Start date:	28/01/2022
Path:	C:\Users\user\Desktop\LMSetup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LMSetup.exe"
Imagebase:	0x8c0000
File size:	49224728 bytes
MD5 hash:	C915A8370A016F079ADFEA57CC00B46F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Target ID:	5
Start time:	23:41:38
Start date:	28/01/2022
Path:	C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe" -burn.clean.room="C:\Users\user\Desktop\LMSetup.exe" -burn.filehandle.attached=556 -burn.filehandle.self=576
Imagebase:	0x8e0000
File size:	8550648 bytes
MD5 hash:	ED2B2F8988D6123D440982052A65D364
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Target ID:	21
Start time:	23:43:09
Start date:	28/01/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd" /c C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\dark.exe "C:\Users\user\Desktop\LMSetup.exe" -nologo -x "C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	22
Start time:	23:43:11
Start date:	28/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LMSetup.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Lenovo\UNIInstaller\cache\cacheInfo.txt

C:\Users\user\AppData\Local\Lenovo\UNIInstaller\cache\gui\9511D742-CA40-42CE-A2BE-0175921F1BCF\5ac5cb72096d48a6558be5f0603b9946

C:\Users\user\AppData\Local\Lenovo\UNIInstaller\cache\gui\9511D742-CA40-42CE-A2BE-0175921F1BCF\5ac5cb72096d48a6558be5f0603b9946_defaultmenu

C:\Users\user\AppData\Local\Lenovo\UNIInstaller\cache\gui\9511D742-CA40-42CE-A2BE-0175921F1BCF\5ac5cb72096d48a6558be5f0603b9946_welcome

C:\Users\user\AppData\Local\Lenovo\UNIInstaller\cache\gui\9511D742-CA40-42CE-A2BE-0175921F1BCF\memcache

C:\Users\user\AppData\Local\Lenovo\UNIInstaller\cache\gui\cacheid

C:\Users\user\AppData\Local\Lenovo\UNIInstaller\cache\plugins\InstallerPackages\Lenovo.UNI\Lenovo.UNI.zip

C:\Users\user\AppData\Local\Lenovo\UNIInstaller\cache\plugins\InstallerPackages\Lenovo.UNI\manifest.json

C:\Users\user\AppData\Local\Lenovo\UNIInstaller\cache\plugins\InstallerPackages\dsdk\dsdk.zip

C:\Users\user\AppData\Local\Lenovo\UNIInstaller\cache\plugins\InstallerPackages\dsdk\manifest.json

C:\Users\user\AppData\Local\Lenovo\UNIInstaller\cache\plugins\InstallerPackages\installer\installer.zip

C:\Users\user\AppData\Local\Lenovo\UNIInstaller\cache\plugins\InstallerPackages\installer\manifest.json

C:\Users\user\AppData\Local\Lenovo\UNIInstaller\cache\plugins\InstallerPackages\printerinstaller\manifest.json

C:\Users\user\AppData\Local\Lenovo\UNIInstaller\cache\plugins\InstallerPackages\printerinstaller\printerinstaller.zip

C:\Users\user\AppData\Local\Lenovo\UNIInstaller\cache\plugins\InstallerPackages\sdk\manifest.json

C:\Users\user\AppData\Local\Lenovo\UNIInstaller\cache\plugins\InstallerPackages\sdk\sdk.zip

C:\Users\user\AppData\Local\Lenovo\UNIInstaller\cache\plugins\packages.json

C:\Users\user\AppData\Local\Lenovo\UNIInstaller\cache\plugins\~state\40d704470259297f93bee626c12b71fb_Installer_state

C:\Users\user\AppData\Local\Temp\ugtn53ek\ugtn53ek\ux.cab

C:\Windows\Temp\{06CB1A7C-0362-456A-A8DC-276F5C54CBCA}\.cr\LMSetup.exe

C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\BootstrapperApplicationData.xml

C:\Windows\Temp\{58155FEA-9500-424F-A76C-4B75D45447D7}\.ba\BootstrapperCore.config

Windows Analysis Report
LMSetup.exe

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre